Foreword


The GDPR has the potential to change digital 
life for the better. But two years after its 
introduction, the GDPR is at risk of failing. 


Every day, people are confronted with 
misleading consent requests, uncontrolled 
tracking and surveillance in online 
advertising, and large tech firms’ uncanny 
knowledge of their intimate lives. The GDPR 
has had little impact. 


This report reveals why: the EU Member 
States have not given data protection 
authorities (DPAs) the tools they need to 
enforce the GDPR. 


Brave has investigated the number of tech 
specialists working in DPAs on tech 
investigations. These are people that have 
training or roles that are principally technical. 
Our data reveal just how few tech specialists 
Europe's DPAs have to investigate private 
sector GDPR infringements. 


Even when wrongdoing is clear, DPAs
hesitate to use their powers against major
tech firms because they cannot afford the
cost of legally defending their decisions
against ‘Big Tech’ legal firepower.


DPAs must be able to properly investigate, 
and act without fear of vexatious appeals. 
Robust, adversarial enforcement is essential. 


Fault lies with national governments,
rather than DPAs. Article 52(4) of the GDPR
requires that national governments give
DPAs the human and financial resources
necessary to perform their tasks. Almost no
governments have done so.


Therefore, it is essential that the European
Commission intervene. The EU Treaties give
the European Commission the power to
launch an infringement procedure against EU
Member States that fail to implement EU law.


The Commission should do so now. 

The cost will be high if the GDPR loses
credibility: the EU's regulatory influence will 
diminish, and data misuse will harm citizens 
and society. 


Member State governments can save the 
GDPR, but they must act urgently. We 
recommend three steps: 


1. Expand DPA tech specialist teams; 

2. Fund DPAs to fight big tech in court 
whenever necessary to defend their 
enforcement decisions; and 

3. Develop an EU unit to assist national 
DPAs in tech investigations. 


We hope that this report spurs governments
to act, and ask the European Commission to
ensure that they do.


Johnny Ryan
Chief Policy & Industry Relations Officer, Brave
April 2020

Two years after the GDPR was first applied, the principles of data protection remain almost entirely unenforced online. This
report reveals why. European Governments are not providing technical staff and budgets for major legal contests to their
national data protection authorities. As a result, DPAs cannot hold Big Tech to account. At the most extreme, GDPR
enforcement authorities have no specialist tech investigation staff, and tiny budgets.

Key insights


European Member State governments have failed to develop tech enforcement 
capacity to deliver on the GDPR. 


Only 6 national DPAs have more than 10 specialist tech investigation staff. 
7 data protection authorities have 2 tech specialists or less. 


Half of all national DPAs receive small (€5 million or less) annual budgets from their 
governments. 


The Irish Data Protection Commission is Google and Facebook's ‘lead authority’ GDPR 
regulator in Europe. But while the number of complaints it deals with is accelerating, increases 
to its budget and headcount are decelerating. 


The UK's Information Commissioner's Office (ICO) is by far the biggest and most expensive 
national DPA to operate. But only 3% of its staff are tech specialists. 


Increases to DPA budgets peaked for the application of the GDPR. Governments have now 
slowed this increase. 


Almost a third (29%) of all of the EU’s tech specialists work for one of Germany’s Länder
(regional) or federal DPAs. All other EU countries are far behind Germany.

305
Number of tech specialists in Europe's DPAs

14
DPAs receive budgets under €5 million from government.

3%
Of the 680 staff at the UK ICO focus on tech

21
Number of tech enforcement roles at the Irish DPC

[Chart: Specialist tech investigators versus other staff in Europe’s DPAs]

• EU DPAs have a combined total of 305 tech specialists
(including unfilled roles) dealing with private sector data
processing. They work in 45 separate agencies. This excludes
three DPAs that deal with the public sector (Germany's Bayern
public sector DPA, and Spain's Basque and Catalan DPAs).

• Half of Europe's national DPAs have only five tech specialists or
less.

• Germany alone accounts for 29% of Europe's DPA tech
specialists.

Austria, Belgium, Cyprus, and Latvia rely on external consultants.
Estimate based on DPA response or data.


Governments have not 
equipped their DPAs for 
tech sector enforcement 


National governments have not properly funded their data 
protection authorities, and DPAs lack the tech expertise to 
do their jobs. 


The findings: 


• Half of all European governments provide annual budgets of
only €5 million or less to their data protection authorities.

• The UK's comparatively large budget is not reflected in a bigger
tech specialist team. Though the UK ICO’s budget is three times
that of France's CNIL, the CNIL has more tech specialists than
the ICO.

• Germany's position is unique.


[Chart: DPA annual budgets, and number of tech specialists. Axes: number of specialist tech investigators; annual budget (millions €). Labelled point: Germany (federal & Länder combined).]


Nearly every European
government underfunds
its DPA


Despite some investments, Europe's governments slowed 
the growth of their DPAs in 2020. 


The findings: 


Annual increases to DPA budgets peaked at 24% in 2019 for the 
application of the GDPR, but have now slowed to 15%. 


Estonia's government allocated the third-smallest annual
budget (€750,331) in 2019, and made no increase to this in 2020.


Portugal reduced the budget of its DPA (by €203,000) between 
2018 and 2020. 


The combined budget of all 45 EU DPAs that deal with private
sector data is a third of a billion Euro (€325,896,343).

[Chart: Combined increase in EU DPA budgets. Year over year increase, in millions of euro, rounded. Value shown: €56.1.]

[Chart: DPA budgets, increase from 2018-2020, in millions of euro, rounded. Increase in lighter hue. Countries shown: Denmark, Finland, Hungary, Greece, Portugal, Austria, Slovenia, Slovakia (€1.9), Lithuania (€1.6), Bulgaria (€1.4), Croatia (€1.3), Romania (€1.3), Latvia (€1.2), Estonia (€0.8), Malta (€0.6), Cyprus (€0.5*).]

GDPR enforcers need many more tech specialists


The findings:


• Only 6 national DPAs out of 28 have 10+ tech specialists.

• 7 European Member States’ national data protection
authorities have only 2 or fewer tech specialists.


The bottom line:


Much of life is lived online. Tech investigation and enforcement
should be a high priority for DPAs. But this chart shows that they lack
the capacity to examine how people's personal data is used by tech


[Chart: Specialist tech investigators at EU data protection authorities]

† Austria, Belgium, Cyprus, and Latvia rely on external consultants.
‡ Estimate based on DPA response or data.


Germany leads Europe 


German Länder (regional states) invest more than most
national governments.


The findings:


A single Länder DPA, the Unabhängiges Landeszentrum für
Datenschutz (ULD), of Schleswig-Holstein, has more tech
specialists than all but 7 national DPAs.


Two German DPAs are not included on this chart:


The Federal Commissioner for Data Protection and Freedom of
Information (BfDI) has 185 staff; 22 of these roles (including 10
vacancies) are tech specialists. The BfDI is responsible for postal and
telecommunications services, government departments and
federal institutions.


Bayern has a separate DPA that deals with the public sector. Its
44 staff include 5 tech specialists.


Though Germany's tech specialist teams are comparatively large,
many German DPAs complain about inadequate resources.
Germany's tech investigations are split between 18 different
organisations (16 Länder and one federal DPA).


[Chart: Länder DPAs, tech specialists versus other staff, full-time equivalents. Länder shown: Brandenburg, Schleswig-Holstein, Bayern, Nordrhein-Westfalen, Niedersachsen, Baden-Württemberg, Hessen, Hamburg, Sachsen-Anhalt, Berlin, Thüringen, Rheinland-Pfalz, Sachsen, Mecklenburg-Vorpommern, Bremen, Saarland.]

Irish Government slows
the DPC’s surge


Irish Government investment in its data protection
authority has slowed.


The findings:


• The Irish Data Protection Commission (DPC) is the ‘lead
authority’ in Europe responsible for supervising Google,
Facebook, and several other large tech firms.

• The DPC is responsible for investigating more cases as lead
authority than any other DPA.

• 15% of DPC staff, 21 people, are specialist tech investigators.

• While the number of complaints it deals with is accelerating, the
Irish Government's build up of the DPC’s budget and staff is
decelerating.


[Chart: Growth in Irish Data Protection Commission budget, staff, and complaints, 2017 to 2020. Labels shown: Budget; 37% requested; 10%.]

[Chart: Lead authority case load per country]

Only 3% of the UK ICO’s
staff is focussed on tech


The UK ICO costs the most to operate, but this has not
resulted in a tech capacity that is fit for purpose.


The findings:


• The UK Information Commissioner's Office (ICO) spends
significantly more money than any other DPA, but this has not
translated into a large tech capacity.

• Spain's AEPD and France's CNIL have larger tech specialist teams,
but cost a third of what the ICO costs to operate.

• Only 1 person in 30 at the ICO is focussed on tech issues.


Analysis:


The ICO budget doubled between 2018 and 2020 from €30 to
€61 million. A modest investment in tech specialists in proportion to
the ICO's budget could make a large impact on the ICO’s capacity to
properly engage with tech issues.


[Chart: Expenditure from 2000 to 2020 of the DPAs with the most ‘lead authority’ cases.]

[ICO organigram. Roles shown: Executive director; Principal cyber investigations (3); Team manager (2); Head of tech. policy; Head of privacy innovation; Tech. adviser (secondment) (2); Lead technical investigations (2); Group manager technology; Group manager digital economy.]

How to save the GDPR


Governments have failed to implement Article 52(4) of the
GDPR. But it is not too late.


National recommendations


• Governments should invest in far more specialist tech
investigators, and pay competitive salaries to attract top talent.

• Governments should provide the finance to allow DPAs to pursue
adversarial enforcement, and to defend their decisions against
expensive legal appeals by Big Tech. This is particularly necessary
for ‘lead authority’ DPAs in major cases, and where the DPA
decisions might give rise to civil litigation against


EU-level recommendations


• The secretariat of the European Data Protection Board (provided
by the European Data Protection Supervisor) should establish a
tech investigative unit to support national DPAs. This unit requires
a substantial permanent staff, and a small rotating temporary staff
from national DPAs.

• The European Commission should launch an infringement
procedure against EU countries that fail to implement Article 52(4)
of the GDPR. It should refer countries to the European Court of
Justice if necessary.


Article 52
Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers
in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of
their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and
shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties
and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority [...] and exercise of its
powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the
Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be
subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not
affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national
budget.


Protect your privacy 


Brave is a new, private web browser. It 
brings unmatched speed and battery life. 
And it also blocks data-grabbing ads and 
trackers. 


Millions of people use Brave to make the 
web quicker and safer. You can download 
it for your phone or computer at 
Brave.com and browse the web with 
confidence. 


"Brave, the upstart browser that makes 
privacy a priority, ranked the highest”, 
said Wired in a review of how well 
browsers protect their user's privacy. 





Find more Brave research and insights at 
brave.com/insight/ 

Brave the new Internet


Get ready to enjoy a faster and more secure browsing
experience with a browser built to protect your privacy.

Methodology, caveats, and references


Methodology: 


1. Brave contacted 28 EU Member State national DPAs, 17
German Länder DPAs (Bayern has 2), and 3 EEA national
DPAs. Brave asked:


“How many employees (full-time equivalents) with a 
technical (IT) background are involved in either 
investigation or enforcement work at the [name of DPA]? 
This would include staff whose training or role is 
principally technical, but exclude those employed for 
internal IT purposes.” 


2. Total staff figures were taken from published materials of each 
DPA. Where necessary, these were checked and updated in 
direct correspondence with DPAs. 


3. Data for the chart “Growth in Irish Data Protection
Commission budget, staff, and complaints” are from that
organization's accounts, annual reports, and its 2020
pre-budgetary submission to the Irish Government.


4. Budget charts on pages 4 to 6 use figures from the European
Data Protection Board “Contribution to the evaluation of the
GDPR”, February 2020, pp. 28-9.


6. Data for the chart “Lead authority case load per country” on 
page 9 are from EU Internal Market Information System (IMI). 
Note that the IMI does not register complaints that a lead 
authority DPA receives directly from a complainant in a 
different country. The IMI also may group several different 
data protection matters and entities in a single item. These 
numbers therefore are undercounts. 


The chart “Expenditure from 2000 to 2020 of the DPAs with 
the most ‘lead authority’ cases” shows the annual expenses of 
each DPA, rather than the budgets allocated by governments. 
Figures for the UK, Luxembourg, Ireland, Germany (federal), 
and Nordrhein-Westfalen are taken from their annual 
accounts for each year. Figures for France's CNIL are taken 
from the French Government open data platform. UK 
budgets were taken from annual reports. The ICO first started 
to publish an annual report in 2004. Where UK budget is 
tracked from 2003-2020 and presented in Euro, the exchange 
rate from British Sterling to Euro in late December of each 
budget year has been applied. Where expenditure for 2019 
and 2020 is not available, EDPB figures (note 4) are used. 


The ICO organigram on page 9 reproduces the ICO's own 
organigrams, which Brave obtained in response to a freedom 
of information request to the ICO. 


Charts and figures do not include four DPAs that deal only 
with public sector data processing: the Agencia Catalana de 
Protección de Dades (Catalan public sector), the Agencia 
Vasca de Protección de Datos (Basque public sector), Der 
Bayerische Landesbeauftragte für den Datenschutz (Bavarian 
public sector), and the European Data Protection Supervisor 
(EU institutions). Nor is the Žurnalistų etikos inspektoriaus 
tarnyba, which monitors data protection issues in the 
Lithuanian press, included in this report. 


The tech specialist figure for Greece includes 5 new tech 
specialists who would have started already but for the 
Covid-19 outbreak. 

Caveats:


This report uses the term “tech specialist” or “specialist tech 
investigator” to denote any person who has a role in technology 
investigation and enforcement. This is broadly framed to give DPAs 
the benefit of the doubt. It includes policy, research, and 
certification roles focused on tech. It excludes internal “IT” staff 
that maintain software and hardware at the DPA. 


Many national DPAs have duties beyond data protection 
supervision, such as transparency, use of public sector data, 
security, etc. that draw on their tech capacity. 


